I wanted to restrict the number of connections used by a single IP address to my server for port 3128 using iptables.
iptables:
....
-A INPUT -i eno2 -p tcp --syn --sport 1024:65535 --dport 3128 -m connlimit --connlimit-above 20 -j REJECT --reject-with tcp-reset
-A INPUT -i eno2 -p tcp --syn --sport 1024:65535 --dport 3128 -m connlimit --connlimit-above 21 -j LOG --log-prefix "Connlimit exeed detected"
....
netstat -an|grep 'xx.xx.xx.xx:3128'|grep 'ESTABLISHED'|cut -d':' -f2|cut -d' ' -f8|sort|uniq -c|sort -n
...
74 10.154.69.70
74 10.38.77.91
77 10.22.71.131
79 10.3.27.24
88 10.54.47.138
Jul 6 16:41:28 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.22.141.148 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=452 DF PROTO=TCP SPT=49282 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 6 16:41:29 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.22.141.148 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=553 DF PROTO=TCP SPT=49237 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 6 16:41:29 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.22.141.148 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=552 DF PROTO=TCP SPT=49236 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 6 16:41:30 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.22.141.148 DST=xx.xx.xx.xx LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=642 DF PROTO=TCP SPT=49288 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Why does the first rule not work, but the second does...?
Is there something wrong with my rules or my interpretation of concurrent connections?
#iptables -V
iptables v1.4.21
#uname -a
Linux proxy 3.10.0-229.7.2.el7.x86_64 #1 SMP Tue Jun 23 22:06:11 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
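As an added example (not part of the original post), a small Python script that counts the "Connlimit exeed detected" LOG hits per source address and the ESTABLISHED sockets per client (what the netstat pipeline above counts), so both can be compared against the rule's --connlimit-above threshold. The log and netstat lines below are constructed sample data, and 192.0.2.10 stands in for the masked proxy address.

```python
import re
from collections import Counter
# Constructed sample data (not from the post's server): kernel LOG lines in the
# post's format and netstat -an lines. The rule's --log-prefix has no trailing
# space, so "detected" is fused with "IN=" exactly as in the post's log.
SAMPLE_LOG = """\
Jul 6 16:41:28 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.22.141.148 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=452 DF PROTO=TCP SPT=49282 DPT=3128 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 6 16:41:29 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= SRC=10.22.141.148 DST=192.0.2.10 PROTO=TCP SPT=49237 DPT=3128 SYN URGP=0
Jul 6 16:41:30 proxy kernel: Connlimit exeed detectedIN=eno2 OUT= SRC=10.3.27.24 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3128 SYN URGP=0
Jul 6 16:41:31 proxy kernel: other ruleIN=eno2 OUT= SRC=10.9.9.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN URGP=0
"""
SAMPLE_NETSTAT = """\
tcp        0      0 192.0.2.10:3128         10.54.47.138:51000      ESTABLISHED
tcp        0      0 192.0.2.10:3128         10.54.47.138:51001      ESTABLISHED
tcp        0      0 192.0.2.10:3128         10.54.47.138:51002      TIME_WAIT
tcp        0      0 192.0.2.10:3128         10.3.27.24:42000        ESTABLISHED
tcp        0      0 192.0.2.10:22           10.3.27.24:42001        ESTABLISHED
"""
KV = re.compile(r"(\w+)=(\S*)")

def parse_log_line(line, prefix="Connlimit exeed detected"):
    """Return the key=value fields of a LOG line with our prefix, else None (fused IN= is fine)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(KV.findall(line[idx + len(prefix):]))

def log_hits_per_source(log_text, dport="3128"):
    """Count logged SYNs per SRC address for connections to dport."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f and f.get("DPT") == dport and f.get("SRC"):
            hits[f["SRC"]] += 1
    return hits

def established_per_client(netstat_text, local_port="3128"):
    """Count ESTABLISHED sockets per remote IP on local_port (the post's netstat pipeline)."""
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp" or parts[5] != "ESTABLISHED":
            continue
        local, remote = parts[3], parts[4]
        if local.rsplit(":", 1)[1] == local_port:
            counts[remote.rsplit(":", 1)[0]] += 1
    return counts

def exceeding(counts, limit=20):  # clients above the --connlimit-above value
    return sorted((ip, n) for ip, n in counts.items() if n > limit)
```

Run it against the real /var/log/messages and netstat output to see whether any client actually holds more than 20 ESTABLISHED sockets when the LOG rule fires.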